It is time for people to look at security from a user perspective and include users in the design process. Tog delivers this message scathingly, yet perhaps most succinctly:
``The universities, at least as evidenced by their graduates, are only interested in theory. That needs to change, and change now. The yellow sticky phenomenon has become so pandemic that it has received attention in both newspapers and business journals. I realized that many of these professors don't get out a lot, but they are at least supposed to read. Turning out graduates at this late date who are making security worse, instead of better, is just simply irresponsible." [Tognazzini, 2003]
The approaches cited in this paper are a good start, but they cannot be applied blindly. Each system should be designed with its users in mind. Some techniques will work in some environments but not in others (for example, some alternatives to passwords require graphical capabilities that may not always be available or desirable). We need to consider the user environment, be it social, cultural or physical, and users' attitudes and desires. This may seem to be a lot of work, and that is part of the reason that usability is not always evaluated. However, the extra work is hardly excessive if security is really a concern. Organizations need to balance the risk of intrusion against the work required to secure a system when deciding what to build [Flechais et al., 2003]. There are many circumstances in which this work would be justified by the increased security that would result.
Only by taking users into account and solving the usability problems of secure interfaces can we ensure that systems will be secure in practice rather than just in theory.